diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2
index b66b35b02..bef81f556 100644
--- a/roles/debian/nginx/templates/vhost_letsencrypt.j2
+++ b/roles/debian/nginx/templates/vhost_letsencrypt.j2
@@ -7,6 +7,7 @@ server {
 listen 80;
 {% endif %}
 server_name {{ domain.server_name }};
+ root /tmp;
 error_log {{ domain.error_log }} {{ domain.error_log_level }};
 access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }};
 # Proxy for certbot (LetsEncrypt)
diff --git a/roles/debian/ssl/README.md b/roles/debian/ssl/README.md
index 129a9ea0c..1b43cfdc6 100644
--- a/roles/debian/ssl/README.md
+++ b/roles/debian/ssl/README.md
@@ -22,7 +22,7 @@ location /.well-known/acme-challenge/ {
 }
 ```
-If you are using LetsEncrypt handling combined with our `nginx` role and you set `ssl.http_01_port` then it should take care of the proxying, for example:
+If you are using LetsEncrypt handling combined with our `nginx` role and you set `ssl.http_01_port` and `ssl.web_server` to `standalone` then it should take care of the proxying, for example:
 ```yaml
 nginx:
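Review bot: `root /tmp;` makes a world-writable, shared directory the document root of this port-80 server block, so any file another local user or service places in /tmp becomes reachable through every request that is not caught by the certbot proxy location (the location blocks follow the hunk, so which paths fall through is not visible here). If a root is only needed so nginx has somewhere to serve ACME challenge files from in webroot mode, which is presumably the intent, point it at a dedicated directory the role creates and owns, e.g. `root <ACME_WEBROOT_PLACEHOLDER>;` (constructed placeholder), and deny everything else with `location / { return 404; }` so that only `/.well-known/acme-challenge/` is ever served from this vhost. At minimum a comment on the new line should state why a document root is required here and what is expected to live under it. The server block continues outside the hunk.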
@@ -38,13 +38,30 @@ nginx:
 services: []
 web_server: standalone
 certbot_register_command: "certonly --standalone --agree-tos --preferred-challenges http -n"
- certbot_renew_command: "certonly --standalone --agree-tos --force-renew"
+ on_calendar: "Mon *-*-* 04:00:00"
+ reload_command: reload
+ reload:
+ - nginx
+```
+webroot option
+```yaml
+nginx:
+ domains:
+ - # other domain variables here
+ ssl:
+ domains:
+ - "{{ _domain_name }}"
+ handling: letsencrypt
+ autorenew: true
+ email: administrator@example.com
+ services: []
+ web_server: webroot
+ certbot_register_command: "certonly --standalone --agree-tos --preferred-challenges http -n"
+ on_calendar: "Mon *-*-* 04:00:00"
 reload_command: reload
 reload:
 - nginx
 ```
-Variable "on_calendar" is no longer in use since we have 1 general cron to renew all domains
-
 "web_server" can be standalone and webroot, differnce is that webroot wont start webserver to validate SSL, while standalone requires port on which webserver will be running in order to validate cert so we need the "http_01_port" for standalone option
 As in the example above, you need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context.
diff --git a/roles/debian/ssl/defaults/main.yml b/roles/debian/ssl/defaults/main.yml
index 9e829468f..201a7eab2 100644
--- a/roles/debian/ssl/defaults/main.yml
+++ b/roles/debian/ssl/defaults/main.yml
@@ -33,12 +33,10 @@ ssl:
 http_01_port: 80 # you can set a non-standard port to listen on, but certbot still needs port 80 - see https://letsencrypt.org/docs/challenge-types/#http-01-challenge
 # For "letsencrypt" auto renewal
 autorenew: false # set to true to create a systemd timer to renew LE certs
- certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer
- # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events
- on_calendar: "Mon *-*-* 04:00:00"
+ on_calendar: "Mon *-*-* 04:00:00" # this is still needed to define when the cron will run, and it's needed in each ssl item not to break task
 web_server: standalone # values are standalone, webroot, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts!
- # webroot unlike standalone, won't start webserver with certain port
+ # webroot unlike standalone, won't start webserver with certain port, so we can remove http_01_port
 # For "letsencrypt" handling, a list of service to stop while creating the certificate.
 # This is because we need port 80 to be free.